FAQ-000500 - Custom Settings and Configuration Security / Protected Custom Settings Security Requirements and Best Practices


Current FAQ

Question
What documentation is needed to prove that protected custom settings can't be queried by unauthorized users?
Answer
To prove that protected custom settings can't be queried by unauthorized users, you should provide the following documentation:
1. An explanation of the visibility settings for protected custom settings, highlighting that they are only accessible to code within the managed package and not exposed to external users or subscribers.
2. References to Salesforce documentation or guidelines that explicitly state the security features of protected custom settings, such as their restricted access.
3. Details on how the application enforces access controls, including any Apex code or security mechanisms ensuring compliance with Salesforce's security model.
4. A demonstration or test case showing that unauthorized users cannot access or query the protected custom settings.
This documentation should align with Salesforce's security policies.
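As an added illustration of item 4, here is the kind of test case a reviewer can reproduce. This is example code written for this FAQ, not code from Salesforce or from any package: an Apex test class deployed to a subscriber org (for example a scratch org with the managed package installed) that records two facts about a protected custom setting shipped in the package. The namespace pkgns and the setting API name Secret_Config__c are hypothetical placeholders; substitute the real ones from the package under review.

```apex
// Added example, not from the FAQ: subscriber-side evidence that a protected
// custom setting in a managed package is hidden from code outside the package.
// 'pkgns' and 'Secret_Config__c' are hypothetical names.
@IsTest
private class ProtectedSettingIsolationTest {

    // Hypothetical API name of the protected custom setting as a subscriber
    // org would have to address it (namespace prefix included).
    private static final String SETTING_API_NAME = 'pkgns__Secret_Config__c';

    @IsTest
    static void settingIsNotDescribableFromSubscriberCode() {
        // Protected settings are not part of the subscriber org's schema view,
        // so the global describe map must not contain the type. The map's keys
        // are lowercase sObject names, hence the toLowerCase() call.
        Map<String, Schema.SObjectType> gd = Schema.getGlobalDescribe();
        System.assert(!gd.containsKey(SETTING_API_NAME.toLowerCase()),
            'Protected custom setting is visible in the subscriber schema');
    }

    @IsTest
    static void settingCannotBeQueriedFromSubscriberCode() {
        // Dynamic SOQL is used on purpose: a static reference to the setting
        // would not compile outside the package at all (which is itself
        // evidence), but a runtime query gives reviewers a pass/fail result
        // they can re-run. An sObject type the running code cannot see fails
        // with a QueryException.
        Boolean blocked = false;
        try {
            Database.query('SELECT Id FROM ' + SETTING_API_NAME);
        } catch (System.QueryException e) {
            blocked = true;
        }
        System.assert(blocked,
            'Protected custom setting was queryable from subscriber code');
    }
}
```

The same two test methods, executed inside the package namespace instead, would succeed in describing and querying the setting, which is the contrast a security review wants to see: access works only for the package's own code. Both runs, with their test results, can be attached as the demonstration called for in item 4, alongside the Salesforce documentation references from item 2.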

AI Recommended Enhancement

Related Security Rules
- ApexCRUDViolation
- ApexSharingViolations
Recommended Answer Update
To prove that protected custom settings can't be queried by unauthorized users, you should provide the following documentation:
1. An explanation of the visibility settings for protected custom settings, highlighting that they're only accessible to code within the managed package and not exposed to external users or subscribers.
2. References to Salesforce documentation or guidelines that explicitly state the security features of protected custom settings, such as their restricted access.
3. Details on how the application enforces access controls, including any Apex code or security mechanisms ensuring compliance with Salesforce's security model.
4. A demonstration or test case showing that unauthorized users cannot access or query the protected custom settings.
This documentation should align with Salesforce's security policies.
Reasoning
The FAQ content is accurate and comprehensive. I made minimal improvements to enhance readability by using contractions ('they're' instead of 'they are') to follow the conversational tone guidelines. The core content remains intact as it correctly explains the documentation needed for protected custom settings security.

Regarding security rules selection:
- ApexCRUDViolation: This rule is relevant because the FAQ discusses proving that unauthorized users cannot query protected custom settings, which relates to CRUD (Create, Read, Update, Delete) access controls. The FAQ specifically mentions 'demonstration or test case showing that unauthorized users cannot access or query the protected custom settings' and 'access controls', which directly align with CRUD violation detection.
- ApexSharingViolations: This rule applies because the FAQ addresses access restrictions and ensuring that data (protected custom settings) is properly secured from unauthorized access. The FAQ mentions 'visibility settings' and 'not exposed to external users or subscribers', which relates to sharing and access control mechanisms that this rule helps enforce.